Over 800 different Android apps that have been downloaded millions of times from Google Play Store found to be infected with malicious ad library that silently collects sensitive user data and can perform dangerous operations.

Dubbed "Xavier," the malicious ad library, initially emerged in September 2016, is a member of AdDown malware family, potentially posing a severe threat to millions of Android users.

Since 90 percent of Android apps are free for anyone to download, advertising on them is a key revenue source for their developers. For this, they integrate Android SDK Ads Library in their apps, which usually doesn't affect an app's core functionality.

The previous variant of Xavier Ad library was a simple adware with an ability to install other APKs silently on the targeted devices, but in the latest release, the malware author has replaced those features with more sophisticated ones, including:

Evade Detection: Xavier is smart enough to escape from being analyzed, from both static and dynamic malware analysis, by checking if it is being running in a controlled environment (Emulator), and using data and communication encryptions.

Remote Code Execution: The malware has been designed to download codes from a remote Command & Control (C&C) server, allowing hackers to remotely execute any malicious code on the targeted device.

Info-Stealing Module: Xavier is configured to steal devices and user related information, which includes user’ email address, Device id, model, OS version, country, manufacturer, sim card operator, resolution, and Installed apps.​According to the researchers, the highest number of infected users are from Southeast countries in Asia such as Vietnam, Philippines, and Indonesia, with a fewer number of downloads are from the United States and Europe.